+92 303 800 1800   

Cross Site Scripting (XSS) Vulnerability Reports to Vimeo And XMarks

Reported two very minor XSS (Cross Site Scripting) bugs were discovered and reported, and both were fixed within next few hours. These were quite interesting and little different then usual, that’s why I would like to share these findings. Below are my reports to the Vimeo and XMarks for my discoveries today.

My Report to Vimeo:

A cross site scripting vulnerability was discovered when I tried to connected my Dropbox Folder with Vimeo.

Please follow the steps to reproduce:
1: Login to vimeo Account
2: Navigate to My Settings / Apps
3: Connect Dropbox
4: Click the checkbox “Auto-upload from: ” and a pop-up window will open to select the folder
5: Create new folder with a payload as name.
Payload: “><img src=x onerror=alert(1)>
And pop-up will appear as attached image.

Vimeo Cross Site Scripting Vulnerability – POC

 

My Report to XMarks:

Recently, I have discovered a Persistent Cross Site Scripting Vulnerability in XMarks Dashboard. Please follow the steps to reproduce:
1: Login to xmarks dashboard.
2: Create a new folder with a payload as name (payload mentioned below).
3: Create a bookmark inside the folder.
Payload: “><img src=x onerror=alert(1)>
When you will save it, this text will change into “> only.
4: Now rename the Folder and retype the payload, but this time it will be saved as full code instead of “>. And it is persistent, everytime the page is reloaded it will be executed.
© 2018. All Rights Reserved!